From f7bf9474a3758f32862f9ece1b8cc55749696416 Mon Sep 17 00:00:00 2001
From: Jaden Diefenbaugh <blakcap@users.noreply.github.com>
Date: Mon, 24 Apr 2017 14:23:42 +0200
Subject: [PATCH] finish pinning down permissions, add redirect

---
 beat/web/reports/views.py | 40 ++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/beat/web/reports/views.py b/beat/web/reports/views.py
index 4e13475df..46f5be2ad 100644
--- a/beat/web/reports/views.py
+++ b/beat/web/reports/views.py
@@ -25,7 +25,7 @@
 #                                                                             #
 ###############################################################################
 
-from django.shortcuts import render_to_response
+from django.shortcuts import render_to_response, redirect
 from django.shortcuts import get_object_or_404
 from django.template import RequestContext, Context
 from django.conf import settings
@@ -85,20 +85,30 @@ def for_author(request, author_name, report_name):
             name = report_name)
 
     isAuthor = request.user.username == obj.author.username
-
-    if not isAuthor:
-        # return 404
-        raise Http404('No %s matches the given query.' % Report._meta.object_name)
-
-    return render_to_response('reports/report.html',
-            {
-                'author'      : author_name,
-                'report_name' : report_name,
-                'owner'       : (request.user == obj.author),
-                'report'      : obj,
-                'USE_HTTPS_GRAVATAR': settings.USE_HTTPS_GRAVATAR,
-                },
-            context_instance=RequestContext(request))
+    isEditable = obj.status == 'E'
+    isPublished = obj.status == 'P'
+    isLocked = obj.status == 'L'
+
+    # if its the author and its locked, redirect to numbered url
+    # same if its published
+    if isPublished or (isAuthor and isLocked):
+        return redirect(obj)
+
+
+    # only valid when the author is accessing it and its editable
+    if isEditable and isAuthor:
+        return render_to_response('reports/report.html',
+                {
+                    'author'      : author_name,
+                    'report_name' : report_name,
+                    'owner'       : (request.user == obj.author),
+                    'report'      : obj,
+                    'USE_HTTPS_GRAVATAR': settings.USE_HTTPS_GRAVATAR,
+                    },
+                context_instance=RequestContext(request))
+
+    # return 404
+    raise Http404('No %s matches the given query.' % Report._meta.object_name)
 
 
 #------------------------------------------------
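Review bot: Authorship is compared two different ways in this hunk — the context line `isAuthor = request.user.username == obj.author.username` versus the new `'owner' : (request.user == obj.author)` at the render call — and inside the `isEditable and isAuthor` branch the `'owner'` value can only ever be true, so one comparison should be computed once and reused, e.g. `isAuthor = request.user == obj.author` and `'owner' : isAuthor`. Any status outside E/P/L now falls through to the 404 at the end, which is the right deny-by-default shape and keeps the view from revealing whether an unpublished report exists. `return redirect(obj)` relies on Report defining `get_absolute_url()`, which this patch does not show, so that is worth confirming before merge. The two consecutive blank lines after the redirect block are one more than PEP 8 allows inside a function body. for_author's body begins outside the hunk (the lookup that binds `obj` precedes the first context line).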
-- 
GitLab